Secure Electronic Transactions Standard Shows Signs of Life

The Secure Electronic Transactions standard may not be languishing after all.

SET, the credit card industry's controversial attempt to make itself relevant for the Internet, has taken some noticeable steps forward - and maybe even some strides.

Just this week, at a conference it was sponsoring, RSA Data Security Inc. conducted an on-line transaction that literally brought SET to life in front of more than 2,000 witnesses.

RSA president Jim Bidzos put his American Express card at risk and bought a $250 piece of software from a merchant on Open Market Inc.'s OM-Transact system. He called the transaction "a significant milestone for electronic commerce."

The witnesses cheered. Until now, any SET milestones were within the MasterCard or Visa systems and were not multivendor.

"This shows SET interoperates - you don't need to have systems from a single vendor," said Scott Schnell, RSA marketing vice president.

Almost a year after the two bank card associations published their framework for SET, which in turn happened almost six months after political infighting scuttled their initial agreement in principle, the standard seems close at hand, and very real.

Mr. Bidzos' transaction was, to be sure, a marketing event. RSA's data encryption technology is at the heart of SET, and the company sells a tool kit to smooth a complex adoption process. RSA and many of its licensees have a vested interest in making the standard workable.

But completion is still months away. The current published version of SET is used for testing. The final version is not due until midyear, and some critics don't expect SET to be completely operational until next year.

"People are finding that SET is a lot harder to implement than they thought it would be," Mr. Bidzos said in an interview during the conference.

Some potential users are impatient.

At a recent American Banker conference, William Melton, Cybercash Inc.'s chief executive officer, complained that SET was developing too slowly and too much like a formal standards deliberation to meet the needs of the fast-moving Internet.

But John Adams, senior vice president of engineering at Security Dynamics Technologies Inc., RSA's parent, said Wednesday that SET is an example of the "consortium standards" process that is best suited to the Internet and is faster than the traditional "bureaucratic" standards-setting model.

Steve Crocker, Cybercash co-founder and chief technology officer, said his company performed its "first secure Internet card transaction" in April 1995. The company intends to adopt SET when it is ready. He referred to the current test version sarcastically as version 0.8. (The first formal releases of software are customarily tagged 1.0.)

"We are in the peculiar position for a start-up of dealing with a legacy system of our own design," Mr. Crocker told the RSA meeting. "We are struggling with the fact that SET is not fully here."

When he said, "Today, SET volumes are zero, and a year from now we expect there will be nonzero numbers," one audience member whispered, "We hope."

"The banking industry, unfortunately, does not move at Internet speed," said William Powar, a recently retired Visa International executive who heads an electronic commerce consulting firm, Venture Architects, in Palo Alto, Calif.

For most of the security-technology believers at the RSA meeting, there was reason not only for hope, but also for faith.

The enthusiasm for encryption and authentication in general, and SET in particular, buoyed Mr. Bidzos. "It used to be, here's crypto, now try to figure out a way to make it work," he said. "Now there are real specs out there to build on. We expect to do very well with our tool kit."

At least one other company has the same idea in mind. Terisa Systems Inc., a Los Altos, Calif., firm that RSA helped start, this week announced the general availability of its competing tool kit for software developers, SecureWeb Payments. Terisa also said MasterCard and Visa had published its draft "reference implementation" of SET, a key step in the development process.

SET-related product announcements were rife at the RSA conference, reinforcing the impression of real movement.

International Business Machines Corp., which was involved in the first full-fledged MasterCard SET transaction at the end of 1996, came out with IBM Registry, calling it the cornerstone of its SET offerings. Registry gives banks and card organizations the ability to issue and manage the requisite digital certificates. IBM will also operate this business as a service, called World Registry.

In addition, IBM demonstrated the interoperability of its Net.Commerce Payment electronic wallet with Visa-branded SET certificates from Verisign Inc. IBM also participated with Verisign, Verifone Inc., and Maithean Corp. in another show of cross-compatibility.

"Many feel SET will transform the way we shop - the way the magnetic stripe on credit cards did 20 years ago," said Kathy Kincaid, IBM's director of information technology security programs. With the security of SET, she said, card issuers effectively tell consumers, "It's O.K. to purchase things ... Consumers can shop in confidence that the merchant is real, and the merchant is confident it can get paid."

Meanwhile, GTE Corp., which has a close digital certification relationship with MasterCard and American Express, announced commercial availability of its Cybertrust product line.

GTE is offering Cybertrust Certification Authority to companies that want to operate their own systems and Cybertrust Customer-Branded Service to those that want to outsource. Cybertrust Partner Forum is for systems testing and development programs.

The outsourcing and private-label options were similar to what Verisign announced earlier in the week.

The enthusiasm about SET's progress spilled over to smart cards - the growing consensus being that they could be used to make digital certificates portable and Internet commerce accessible from any card-reading device.

French chip card manufacturer Gemplus joined with several other vendors to demonstrate smart-card-based cryptography. "That's my idea of strong authentication," said Bradley Wood, a technologist from Sandia National Laboratories in New Mexico.

Smart cards would be "readily acceptable to consumers - they are comfortable with them - and (the cards) confer a valid sense of security," said Tom Carty, GTE's director of security and electronic commerce. "The probability is it will happen slower than we would like to think, but it will" happen.

"Last year at this conference when I brought up smart cards, people said, 'What do we need them for?'" said Mr. Powar of Venture Architects.

"Now look what everybody is talking about."
